Systems and methods for distributed network protection

ABSTRACT

By distributing various information and monitoring centers that monitor distributed networks and unauthorized access attempts, it is possible to, for example, more quickly defend against unauthorized access attempts. For example, a Level 1 monitoring center could monitor a predetermined geographical area serving, for example, a wide variety of commercial and public sites, an organizational structure, or the like, for alarms. Upon analyzing an alarm for various characteristics, the Level 1 monitoring center can refer the unauthorized access attempt to an appropriate Level 2 center for, for example, possible retaliatory and/or legal action. Then, a Level 3 monitoring center can record and maintain an overall picture of the security of one or more networks, the plurality of monitoring centers and information about one or more hacking attempts.

CROSS REFERENCE TO RELATED DOCUMENTS

The present invention is a continuation of U.S. patent application Ser. No. 11/723,793, filed Mar. 22, 2007, now allowed, which is a continuation of U.S. patent application Ser. No. 11/490,046, filed Jul. 21, 2006, now U.S. Pat. No. 7,197,563, which is a divisional of U.S. patent application Ser. No. 09/867,442, filed May 31, 2001, now U.S. Pat. No. 7,089,303, which claims benefit of priority to U.S. Provisional Patent Application Ser. No. 60/208,056, filed May 31, 2000, the entire disclosures of all of which are hereby incorporated by reference herein.

BACKGROUND OF THE INVENTION

1. Field of the Invention

In general, the systems and methods of this invention relate to protecting distributed networks. In particular, the systems and methods of this invention relate to protecting distributed networks through a hierarchical analysis and action determination topology.

2. Description of Related Art

The nation's information infrastructure, based in large part on the Internet, has become an integral part of normal business and is becoming critical to the national security of many countries. The intrusion into public and private networks by unauthorized individuals is a major problem for many nations. Foreign powers, and a variety of hackers, i.e., individuals or entities who attempt to obtain unauthorized access to one or more networks or information, continue to develop systems and methods that interrupt communications, damage files, damage computer and network systems, and gain access to private information. Many tools, such as firewalls, passwords and network security schemes, have been developed in an attempt to provide protection to various aspects of distributed networks.

SUMMARY OF THE INVENTION

However, in light of the magnitude of the problem, a coordinated effort could greatly assist in countering the potentially devastating effects of unauthorized access into private or restricted areas of cyberspace. Furthermore, by coordinating efforts, an exemplary embodiment of the systems and methods of this invention allows the collection of information on incidents of hacker attacks, analysis and summarization of such information, identification of the source of these attacks, and appropriate law enforcement or retaliatory acts in response to these unauthorized attacks.

There are two basic approaches to the development of a distributed network protection system. In a first exemplary approach, one or more monitoring centers act independently of any attacked targets. This exemplary system could place sensors at various locations within a distributed network to examine all traffic, or a sampling thereof, for possible unauthorized access attempts. For example, origination addresses could be compared to destination addresses to determine if the user is an authorized user, information could be scanned for profiles of particular executable code, or the like. A second exemplary approach would be to place unauthorized access attempt detection systems at specific locations within a distributed network. For example, the unauthorized access attempt detection system could be collocated with a firewall of a particular entity on a distributed network, such as the Internet. Alternatively, the unauthorized access attempt detection system could be similar to that used in U.S. Provisional patent application No. 60/226,088, entitled “Cyber Hacking Attack Tracing and Retaliation Methods and Systems,” incorporated herein by reference in its entirety. In this exemplary embodiment, the unauthorized access attempt is detected by these localized monitoring centers, thereby restricting a need to analyze all traffic on the distributed network. With these localized systems, an unauthorized access attempt can be detected in real-time, and pertinent information regarding the attempt forwarded to a monitoring system for verification and determination of an appropriate response and/or action.

Accordingly, aspects of the present invention relate to a protection system for a portion of a distributed network. In particular, an exemplary embodiment of the invention provides systems and methods for analyzing unauthorized access attempts.

A further aspect of the invention relates to determining an appropriate response and/or action in response to an unauthorized access attempt.

An additional aspect of the invention relates to establishing a hierarchical monitoring scheme that monitors one or more of information traffic and unauthorized access attempt alarms within a distributed network.

An additional aspect of the invention relates to distributing monitoring centers such that the burden of analyzing distributed network traffic and unauthorized access attempt alarms can be performed in real-time or near real-time.

These and other features and advantages of this invention are described in or are apparent from the following detailed description of the embodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

The embodiments of the invention will be described in detail, with reference to the following figures wherein:

FIG. 1 illustrates an exemplary embodiment of the distributed network protection system according to this invention;

FIG. 2 illustrates an exemplary embodiment of a monitoring center according to this invention;

FIG. 3 illustrates an exemplary method of protecting a distributed network according to this invention; and

FIG. 4 is a flowchart outlining a second exemplary method for protecting a distributed network according to this invention.

DETAILED DESCRIPTION OF THE INVENTION

In an exemplary embodiment of this invention, the distributed network protection system could be developed as a separate infrastructure containing both centralized and distributed databases of hacker information such as profiles, signatures, attack attempt profiles, or the like. In general, any information that may be of assistance in determining one or more of the verification of an unauthorized access attempt and/or the identity of the hacker(s) can be stored in the databases. This information can be, for example, generated in response to alarms received from one or more targets or, for example, amassed through an analysis of all or a portion of the traffic within a portion of a distributed network, such as a local area network, the Internet, a private network, a wide area network, or the like. In this exemplary embodiment, the multi-layered distributed network protection system utilizes, for example, real-time unauthorized access attempt alarms from one or more secured sites. The secure sites would report unauthorized access attempts to the distributed network protection system that could, for example, maintain databases of known attackers and their methods, and could be capable of analysis of multiple ongoing attacks on different secured sites, tracking origins of these attacks, documenting the attacks for possible future prosecution, and supporting retaliatory measures if warranted.

By distributing various information pertaining to the distributed network and unauthorized access attempts, it is possible to, for example, more quickly defend against an unauthorized access attempt by instituting a series of distributed monitoring centers dedicated to specific portions of the distributed network. For example, a Level 1 monitoring center could monitor a predetermined geographical area serving, for example, a wide variety of commercial and public sites, or an organizational structure serving, for example, such institutions as law enforcement, Department of Defense, Armed Forces, the government, commercial organizations, e-commerce or the like. An exemplary Level 1 monitoring system could focus monitoring on attacks within defined cyber boundaries. These monitoring centers could receive information on an attack in progress and optionally a referral feature enabling the monitoring center to pose as the attacked site to the attacker for the purposes of, for example, positive identification of the attacker. Upon a triggering event, such as a predetermined number of received alarms, a predetermined number of positive hacker identifications, or any other threshold, the Level 1 monitoring center can refer the unauthorized access attempt to an appropriate Level 2 center for possible retaliatory and/or legal action.

Level 2 centers could receive, for example, referrals from Level 1 monitoring centers and make a decision on possible retaliatory action and/or other action if warranted, for example, by the nature of the attack. These Level 2 centers could also receive and analyze cumulative information on unauthorized access attempts from underlying Level 1 monitoring centers within, for example, predefined geographic, organizational or cyber boundaries, or the like.

Level 3 monitoring centers could collect and analyze information from Level 2 monitoring centers to, for example, monitor the overall security condition of a distributed network, such as the national cyberspace of one or more countries.

However, while the above example illustrates a three-tiered monitoring center scheme, the number of monitoring center levels and the tasks assigned to those levels can be varied depending on, for example, the specific implementation of the distributed network protection system, or the like.

Unauthorized access attempt attack alerts can be generated in at least two different ways. First, for example, all traffic through a given portion of a distributed network is monitored for unauthorized access attempts. Secondly, portions of a distributed network can be monitored with unauthorized access attempt detection systems that can forward an alarm to, for example, one or more Level 1 type monitoring centers, and the unauthorized access attempt “handed off” to a higher level monitoring center when an escalation parameter(s) is satisfied to, for example, perform further action, or the like. The hand-off could include, for example, information such as the destination address of the attacked target, the source address for the last clearing hop of the hacker, a copy of the pertinent part of the attacking packet, or any other information relevant to the unauthorized access attempt. Furthermore, other unauthorized access attempt protection systems, such as systems embedded in a firewall or operating system based protection present at the target site, could gather other information about the unauthorized access in real-time or near real-time and provide this information to one or more of the monitoring centers. Additionally, such localized intrusion attempt detection systems could provide, for example, information regarding a suspected attack, or the like.
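As an added illustration of the hand-off and escalation parameters described above (example code written for this page, not part of the patent), the following Python sketches a Level 1 center that counts alarms per last clearing hop and, once a predetermined alarm count or a positive-identification threshold is reached, builds a referral record carrying the destination address of the attacked target, the last-hop source address and the pertinent packet excerpt; a Level 2 center then notes when the same source has been referred from more than one Level 1 boundary, the cumulative analysis described for Level 2 centers. The class and field names, the threshold values and the addresses in the sample alarms are all assumptions constructed for the example.

```python
"""Level 1 -> Level 2 hand-off record and escalation parameters.

Added example, not code from the patent. Names (Alarm, HandOff,
Level1Center, Level2Center) and the threshold values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alarm:
    """Alarm as forwarded by a target's local detection system (hypothetical fields)."""
    target_addr: str           # destination address of the attacked target
    last_hop_addr: str         # source address of the last clearing hop
    packet_excerpt: bytes      # copy of the pertinent part of the attacking packet
    positive_id: bool = False  # set when the center positively identified the attacker


@dataclass(frozen=True)
class HandOff:
    """Referral record sent upward when an escalation parameter is satisfied."""
    from_center: str
    target_addr: str
    last_hop_addr: str
    packet_excerpt: bytes
    alarm_count: int
    positive_ids: int
    reason: str


class Level1Center:
    """Counts alarms per last-hop source within its cyber boundary and refers
    the attempt upward once a configured escalation parameter is met."""

    def __init__(self, name: str, alarm_threshold: int = 3, positive_id_threshold: int = 1):
        self.name = name
        self.alarm_threshold = alarm_threshold
        self.positive_id_threshold = positive_id_threshold
        self._alarms = defaultdict(list)   # last-hop address -> alarms seen
        self._referred = set()             # sources already handed off

    def ingest(self, alarm: Alarm) -> Optional[HandOff]:
        """Record the alarm; return a HandOff if this alarm trips an escalation parameter."""
        key = alarm.last_hop_addr
        self._alarms[key].append(alarm)
        if key in self._referred:
            return None  # already referred; the Level 2 center owns it now
        count = len(self._alarms[key])
        ids = sum(1 for a in self._alarms[key] if a.positive_id)
        reason = None
        if ids >= self.positive_id_threshold:
            reason = "positive identification threshold"
        elif count >= self.alarm_threshold:
            reason = "alarm count threshold"
        if reason is None:
            return None
        self._referred.add(key)
        return HandOff(self.name, alarm.target_addr, key, alarm.packet_excerpt,
                       count, ids, reason)


class Level2Center:
    """Receives referrals from several Level 1 centers and reports which Level 1
    boundaries have referred a given source (cumulative analysis)."""

    def __init__(self):
        self._by_source = defaultdict(list)

    def receive(self, handoff: HandOff) -> list:
        """Store the referral and return the sorted Level 1 centers that referred this source."""
        self._by_source[handoff.last_hop_addr].append(handoff)
        return sorted({h.from_center for h in self._by_source[handoff.last_hop_addr]})


if __name__ == "__main__":
    # Constructed sample: one source (documentation address) alarms at two Level 1 centers.
    east, west, l2 = Level1Center("L1-east"), Level1Center("L1-west"), Level2Center()
    for _ in range(3):
        h = east.ingest(Alarm("203.0.113.10", "198.51.100.7", b"constructed-packet-bytes"))
    print(h)                     # HandOff after the third alarm
    print(l2.receive(h))
    hw = west.ingest(Alarm("203.0.113.20", "198.51.100.7", b"constructed-packet-bytes",
                           positive_id=True))
    print(l2.receive(hw))        # ['L1-east', 'L1-west']
```

The referral is emitted once per source; subsequent alarms for that source are still recorded locally but return no new hand-off, which keeps the Level 2 center from being flooded with duplicate referrals for an attack already under its review.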

An exemplary embodiment of the distributed network protection system could also include one or more distributed and/or centralized databases. For example, a centralized database could be located at a Level 3 monitoring center, whereas both Level 1 and Level 2 monitoring centers could maintain their own distributed databases linked to the central database at the Level 3 monitoring center. These databases can obviously include various protection schemes to shield unauthorized access to users and to conduit host data, detailed hacker data, sanitized attacker data, and law-enforcement data and links, or the like. By distributing the functionality and the resources of the monitoring centers in this way, there is a greater chance of being able to verify that the unauthorized access attempt is real and react to the unauthorized access attempt in real-time, thereby, for example, providing greater security to a portion of the protected distributed network.

Current cyber-protection systems employ difficult and labor-intensive investigative techniques. Furthermore, current cyber-protection systems do not operate in real-time; tracing the origin of an attack therefore becomes more difficult given the increasing sophistication of the attackers, who employ various techniques to cover their tracks. This is further complicated by the fact that hackers usually do not use direct attempts to penetrate a target. Typically, a hacker will route the attack information through several hosts, using each host as a conduit through which one or more attacks are launched.

The origin of an unauthorized access attempt can be most effectively traced in real-time, i.e., during the course of the attack. While attackers often use various methods to disguise the real origin of the attack, there is at least one fundamental requirement for any hacking attack to succeed that can be used for tracking its origin. Indeed, except for a denial of service attack, hacking by its nature requires that a target system's response to attacking packets be received by the attacker directly or indirectly. This means that no matter how sophisticated a disguise mechanism is, the attacking system makes itself available to receive such a response. This vulnerability can be utilized effectively for tracking an unauthorized access attempt.

Specifically, unauthorized access attempt tracking can be done autonomously, by, for example, a monitoring center, without necessarily implementing a surveillance scheme. In this exemplary embodiment, when a hacking attack is detected and confirmed as a hostile act, a concealed program can be embedded in the response to the attacker. When the attacking station, e.g., one or more computers operated by a hacker, receives the target station's response, the concealed program could act like a worm within the attacking station(s). This worm can determine if, for example, the attacking station has a hostile intent, and, if the intent is confirmed, secretly forward the identification, such as an IP address, to the target station or monitoring center.

In other words, in the case of an HTML page being sent as a response to a hacking attack, the page can contain a worm, such as an embedded portion of executable code, Java® script, cookie, or the like, which could be invisible to a viewer and, for example, probe the hacker's computer for specific information. Alternatively, a disguised request that could confirm hostile intent could be included in an HTML page. For example, if the target system does not employ a particular feature, a fake request for such a feature could be made. By the act of attempting to enter or respond to this feature, the attacker confirms that they are not familiar with the target system and they are trying to enter the system in an unauthorized manner. The concealed program, or worm, could then be triggered if an attacker enters any response. This concealed program could then instruct the attacker's browser, or other comparable device, to secretly send the attacker's true identity to a predetermined destination, such as a specific IP address. This IP address could, for example, be passed along to a predetermined monitoring center along with any other pertinent information gathered about the hacker.

For certain attacks, the autonomous method, such as the one described above, may not produce the desired result. In such instances, a more complex method involving cooperative reporting systems could be utilized. This would require, for example, full cooperation between one or more distributed network protection systems, and, for example, private and government information technology communities. Using this exemplary method, a target, having confirmed a hacking attack, could include a flag concealed in its response. Then, participating nodes and conduit hosts could be supplied and updated with this hacker-related validated information so that the participating entities can detect passage of the flag and, for example, record information related to the flag and associated data. In this way, even though an attacker may have removed the information relating to the true origin of the attack by using several intermediary computer systems, the attacker would still need to eventually receive the information about the target either directly or indirectly. In other words, no matter how many intermediate steps the attacker uses, or what method of communication is used, the flagged, or otherwise identified, packet would still reach the attacking station and would trigger, for example, reporting, showing the path to the attacker. In actuality, the more steps the attacker takes to disguise their origin, the greater the chance of detection, given the exposure in multiple nodes between the additional intermediary computing devices.

The two systems, used in conjunction, can cover a broad spectrum of attacks. The long-range attacks with many hops are vulnerable to flag detection at intermediate nodes, while closer-range attacks are more vulnerable to direct detection. These techniques avoid the need for general surveillance of individual packets flowing through internet nodes in an effort to track hackers attempting to break into a protected network. It also allows for the protection of the integrity of private information, since all of the information regarding the hacker can be relayed voluntarily to, for example, law enforcement personnel, from, for example, the host detecting the hacker and/or one or more monitoring centers.

In addition to the monitoring systems according to exemplary embodiments of this invention, a retaliatory cyber attack, i.e., counter attack, can be launched at any time after commencement of the unauthorized access attempt. An attacker is most vulnerable to a counter attack during their own attack, since the attacker generally has to substantially remove their system's defensive mechanism. Accordingly, an exemplary embodiment of this invention takes advantage of the hacker's weaknesses and allows the performing of counter attacks in near real-time. Specifically, when a decision on retaliation has been made, for example, by law enforcement personnel, and after confirmation of the attacker's origin, a retaliatory action can be launched. In particular, for example, a concealed program could be embedded into a response to the attacker, such as embedded in an HTML page. The program could contain code similar to those found in destructive viruses. The triggering mechanism could be, for example, embedded with additional levels of verification to ensure the hostile intent, identity, or the like, of the attacker. For example, a false request for a password could be made while the target system does not employ password-based security features. By entering any password, or otherwise responding to the request, the attacker could confirm that the attacker is in fact not familiar with the protocols of the target system, and therefore, is an unauthorized user. At the same time, entering any response to, for example, the password could trigger the concealed destructive program that can, for example, destroy files and/or the operating system of the attacker's computer.

Additionally, in an exemplary embodiment of this invention, the targeted system could act as a conduit to relay response information, such as packets, returned to the hacker from one or more of the monitoring centers to retain the original targeted addresses. These response packets may contain flags or retaliation codes as described above, depending on the analysis and the decision made by one or more of the monitoring centers. The restricted tunnel may be implemented using a commercial VPN, a dedicated link with or without encryption, or the like.

FIG. 1 illustrates an exemplary distributed network protection system 100. The distributed network protection system 100 comprises one or more monitoring centers 200, one or more targets 300, and a hacker 400 being connected by links 5 and one or more distributed networks 10. The distributed network protection system 100 can also be connected to one or more other distributed network protection systems and is scalable depending on the particular implementation. Additionally, while the hacker 400 is illustrated as a single entity, it should be appreciated that the hacker 400 can be one or more devices, computers or entities, and can be located at one or more geographic or cyber locations.

While the exemplary embodiment illustrated in FIG. 1 shows the distributed network protection system 100 and associated components collocated, it is to be appreciated that the various components of the distributed network protection system can be located at distant portions of a distributed network, such as a local area network, a wide area network, an intranet, and/or the Internet, or within a dedicated distributed network protection system. Thus, it should be appreciated that the components of the distributed network protection system can be combined into one device or collocated on a particular node of a distributed network. Furthermore, it should be appreciated that for ease of illustration, the various functional components of the distributed network protection system have been divided as illustrated in FIG. 1. However, any of the functional components illustrated in FIG. 1 can be combined without affecting the operation of the system. As will be appreciated from the following description, and for reasons of computational efficiency, the components of the distributed network protection system can be arranged in any location within a distributed network without affecting the operation of the system.

Furthermore, the links 5 can be a wired or wireless link or any other known or later developed element(s) that is capable of supplying and communicating electronic data to and from the connected elements. Additionally, the distributed network protection system can comprise one or more input devices (not shown) that can include, for example, a keyboard, a mouse, a speech text converter, a stylus, or the like. In general, the input device can be any device capable of communicating information to the distributed network protection system 100. Furthermore, the distributed network protection system 100 can comprise one or more display devices (not shown) such as a computer monitor, a display on a PDA, or any other device capable of displaying information to one or more users.

The monitoring centers 200 monitor one or more of traffic and/or alarms received from one or more targets 300. The targets 300 can be a particular node on a distributed network, such as a single entity, or could be scalable, such that the target could be defined based on, for example, a geographic location having a plurality of entities, a country, a portion of an IP address, or the like. In general, the targets 300 can be any device, entity or portion of a distributed network for which protection is desired. Furthermore, alarms received from the one or more targets 300 can be localized and/or distributed based on the particular implementation specifics.

In operation, for a first exemplary embodiment, in which the individual targets 300 perform an initial unauthorized access attempt detection 20, the target 300 forwards alarm information 30 to one or more monitoring systems 200. The monitoring system 200 optionally commences logging a portion of the transactions with the target 300, and hence, the hacker 400. The monitoring center 200 then identifies the source of the attack and verifies the intrusion attempt as discussed above. For example, using various techniques, the monitoring center 200 can initiate various communications with the hacker 400 in an attempt to verify the authenticity of the unauthorized access attempt. If monitoring system 200 determines that the communications with the target are an unauthorized access attempt, the monitoring system 200 can enter an analysis mode where all or a portion of the communications from the hacker 400 are analyzed to, for example, determine the identity of the hacker, the source of attack, hacking patterns, characteristics of the hack attempt, or the like. Upon determining, for example, the identity and/or location of the hacker, the monitoring system 200 can determine any necessary responsive action that may be appropriate. Depending on the nature of the responsive action, the monitoring center 200 can escalate the unauthorized access attempt to another monitoring center higher in the chain. As previously discussed, the Level 2 monitoring center could, for example, make any decisions regarding possible retaliatory action, compare the referral from the Level 1 monitoring center to other unauthorized access attempts from other Level 1 centers, carry out retaliatory action, or the like.

FIG. 2 illustrates an exemplary monitoring center 200. The monitoring center 200 comprises an I/O interface 210, a controller 220, a memory 230, a database 240, a response system 250, an intrusion analysis system 260, an intrusion reaction system 270, and an escalation determination system 280, all interconnected by link 5. Additionally, the monitoring center 200 can be connected to one or more other monitoring centers and/or targets 300 via network 10 and the links 5.

Upon receiving an alarm from one or more targets, the monitoring center 200, in cooperation with the I/O interface 210, the controller 220, the memory 230, and the intrusion analysis system 260, determines the accuracy of the alarm. In particular, the intrusion analysis system 260, in cooperation with database 240, analyzes the intrusion attempt and compares it to, for example, historical profiles and/or other previous attempts, or communicates with other monitoring centers to determine whether other targets are being attacked with the same or similar unauthorized access requests. Upon verification of the attack, the intrusion analysis system 260, in cooperation with intrusion interaction system 270, the I/O interface 210, the controller 220 and the memory 230, can engage the one or more hackers 400 in an attempt to determine the source of the attack. Then, for example, depending on the scale and success of the attack, the identity of the attacker, and the number of previous attack attempts, the escalation determination system 280 can determine whether, for example, retaliatory action, law enforcement procedures, or the like, should be taken. If it is determined that further action need be taken, the monitoring center 200 can escalate the alarm, and any related alarm information, to another monitoring center higher in the hierarchy, for example a Level 2 monitoring center. Alternatively, the monitoring center 200 which received the alarm, in cooperation with the response system 250, the I/O interface 210, the controller 220 and memory 230, can, for example, forward various notification messages to the one or more affected or unaffected targets, notifications to one or more other monitoring centers at various levels in the hierarchy, or the like.

FIG. 3 illustrates an exemplary embodiment of protecting a distributed network according to this invention. In particular, control begins in step S100 and continues to step S110. In step S110, an alarm signal is received from one or more targets. Next, in step S120, logging of all or a portion of the information to and/or from the attacked target is commenced. However, it is to be understood that the logging can be performed in a controlled manner where, for example, repetitive events are not logged and thresholds are set governing the extent of the logging. Control then continues to step S130.

In step S130, a determination is made whether the alarm information is being forwarded from another monitoring center. If the alarm information is being forwarded from another monitoring center, such as from a Level 1 monitoring center to a Level 2 monitoring center, control jumps to step S180. Otherwise, control continues to step S140.

In step S140, the source of the attack is identified. Next, in step S150, the communications with the target are verified as an unauthorized access attempt. Then, in step S160, if the communications with the target are determined to be an unauthorized access attempt, control jumps to step S180. Otherwise, control optionally continues to step S170 where, for example, a message is forwarded to the target indicating, for example, that there has been a false alarm.

In step S180, the unauthorized access attempt is analyzed. Next, in step S190, any responsive action is determined. Control then continues to step S200, where the control sequence ends.
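The following Python is an added example (not from the patent) that walks the FIG. 3 control sequence, S100 through S200, as an explicit state machine: step S120 logging suppresses repeated events and caps the number of entries, step S130 branches past source identification when the alarm was forwarded by another center, and step S150 corroborates the alarm against a small constructed table that stands in for the database 240 record of sources already seen attacking other targets, the comparison described for the intrusion analysis system 260. The step labels follow the figure; the AlarmSignal fields, ControlledLog, the verification rule, the action strings and the addresses are assumptions constructed for the example.

```python
"""FIG. 3 control sequence (S100..S200) as a state machine.

Added example, not code from the patent. Step labels follow the figure;
AlarmSignal, ControlledLog, KNOWN_ATTACK_SOURCES, the verification rule
and the action strings are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AlarmSignal:
    """Alarm received in S110 (hypothetical fields)."""
    target_addr: str                      # attacked target
    last_hop_addr: str                    # source address of the last clearing hop
    events: List[str]                     # transaction records to/from the target
    forwarded_from: Optional[str] = None  # set when another center escalated this alarm


class ControlledLog:
    """S120 logging: repetitive events are not logged and a hard cap bounds the extent."""

    def __init__(self, max_entries: int = 5):
        self.max_entries = max_entries
        self.entries: List[str] = []
        self._seen = set()
        self.dropped = 0  # count of suppressed events, useful for tuning the thresholds

    def record(self, event: str) -> bool:
        """Return True if the event was logged, False if suppressed."""
        if event in self._seen or len(self.entries) >= self.max_entries:
            self.dropped += 1
            return False
        self._seen.add(event)
        self.entries.append(event)
        return True


# Constructed stand-in for database 240: last-hop sources already seen attacking
# other targets, keyed by source address (documentation address ranges).
KNOWN_ATTACK_SOURCES = {"198.51.100.7": ["203.0.113.50", "203.0.113.51"]}


def verify_attempt(alarm: AlarmSignal, log: ControlledLog) -> bool:
    """S150: corroborate the alarm. Assumed rule: the source is already known to
    have attacked other targets, or the log holds at least two distinct events."""
    seen_elsewhere = alarm.last_hop_addr in KNOWN_ATTACK_SOURCES
    enough_activity = len(log.entries) >= 2
    return seen_elsewhere or enough_activity


def run_control_sequence(alarm: AlarmSignal, max_log_entries: int = 5):
    """Walk S100..S200; return (steps visited, the log, responsive actions)."""
    steps = ["S100", "S110"]              # start; alarm received
    log = ControlledLog(max_log_entries)
    steps.append("S120")                  # commence controlled logging
    for event in alarm.events:
        log.record(event)
    steps.append("S130")                  # forwarded from another center?
    actions: List[str] = []
    source = alarm.last_hop_addr
    if alarm.forwarded_from is None:
        steps.append("S140")              # identify the source of the attack
        steps.append("S150")              # verify as an unauthorized access attempt
        verified = verify_attempt(alarm, log)
        steps.append("S160")              # branch on the verification result
        if not verified:
            steps.extend(["S170", "S200"])  # optional false-alarm message, then end
            actions.append(f"notify target {alarm.target_addr}: false alarm")
            return steps, log, actions
    steps.append("S180")                  # analyze the attempt against related attempts
    related_targets = KNOWN_ATTACK_SOURCES.get(source, [])
    steps.append("S190")                  # determine responsive action (response system 250)
    actions.append(f"notify target {alarm.target_addr}: attempt from {source}")
    for other in related_targets:
        actions.append(f"notify target {other}: same source {source}")
    steps.append("S200")                  # control sequence ends
    return steps, log, actions


if __name__ == "__main__":
    sample = AlarmSignal("203.0.113.10", "198.51.100.7",
                         ["conn-open", "conn-open", "login-fail"])
    visited, sample_log, sample_actions = run_control_sequence(sample)
    print(" -> ".join(visited))
    print(sample_log.entries, "dropped:", sample_log.dropped)
    print(sample_actions)
```

Returning the list of visited steps makes the control flow itself testable: a forwarded alarm must skip S140 through S170, and an unverified alarm must end through S170, which is the kind of property worth asserting before wiring such a sequence to real alarm feeds.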

FIG. 4 illustrates a second exemplary embodiment for protecting a distributed network according to this invention. In particular, in this exemplary embodiment, one or more monitoring centers are responsible for detecting unauthorized access attempts. Specifically, control begins in step S400 and continues to step S410. In step S410, network traffic on a portion of a distributed network is analyzed. Next, in step S420, a determination is made whether an unauthorized access attempt has been detected. If no unauthorized access attempt has been detected, control continues to step S430. Otherwise, control jumps back to step S410.

In step S430, logging of, for example, all communications from a particular origin to a particular destination is commenced. Next, in step S440, a determination is made whether information regarding the unauthorized access attempt has been forwarded or received by another monitoring center. If the alarm information has been escalated from another monitoring center, control jumps to step S480, where, for example, the gathered information can be compared, analyzed, or the like. Otherwise, control continues to step S450. In step S450, the source of the attack is identified. Next, in step S460, the intrusion attempt is verified. Then, in step S470, an optional message can be sent to the target indicating that an intrusion attempt is underway. Control then continues to step S480.

In step S480, the unauthorized access attempt can be analyzed, and compared to, for example, other unauthorized access attempts, or the like. Next, in step S490, responsive action to the unauthorized access attempt is determined. Control then continues to step S500, where the control sequence ends.

As illustrated in FIGS. 1-2, the distributed network protection system can be implemented either on a single programmed general purpose computer or a separate programmed general purpose computer. However, the distributed network protection system can also be implemented on a special purpose computer, microprocessor or microcontroller and peripheral integrated circuit element, an ASIC or other integrated circuit, a digital signal processor, a hardwired electronic or logic circuit, such as a discrete element circuit, a programmable logic device such as a PLD, PLA, FPGA, PAL, or the like. In general, any device capable of implementing a finite state machine that is in turn capable of implementing the flowcharts in FIGS. 3-4 can be used to implement the distributed network protection system according to this invention.

Furthermore, the disclosed method may be readily implemented in software using object or object-oriented software development environments that provide portable source code that can be used on a variety of computer or workstation hardware platforms. Alternatively, the disclosed distributed network protection system may be implemented partially or fully in hardware using standard logic circuits or VLSI design. Whether hardware or software is used to implement the systems and methods in accordance with this invention is dependent on the speed and/or efficiency requirements of the system, the particular function, and the particular software and/or hardware systems or microprocessor or microcomputer systems being utilized. The distributed network protection system illustrated herein, however, can be readily implemented in hardware and/or software using any known or later-developed systems or structures, devices and/or software by those of ordinary skill in the applicable art from the functional description provided herein and with a general basic knowledge of the computer arts.

Moreover, the disclosed methods may be readily implemented as software executed on a programmed general purpose computer, a special purpose computer, a microprocessor or the like. In these instances, the methods and systems of this invention can be implemented as a program embedded in a personal computer, a piece of executable code, or the like, such as a Java® or CGI script, as a cookie, as a resource residing on a server or graphics workstation, as a routine embedded in a dedicated distributed network protection system, or the like. The distributed network protection system can also be implemented by physically incorporating the systems and methods into a hardware and/or software system, such as the hardware and software systems of a computer or dedicated distributed network protection system.

The devices and subsystems of the exemplary embodiments of FIGS. 1-4 can include computer readable medium or memories for holding instructions programmed according to the teachings of the present invention and for holding data structures, tables, records, and/or other data described herein. Computer readable medium can include any suitable medium that participates in providing instructions to a processor for execution. Such a medium can take many forms, including but not limited to, non-volatile media, volatile media, etc. Non-volatile media can include, for example, optical or magnetic disks, magneto-optical disks, and the like. Volatile media can include dynamic memories, and the like. Transmission media can include coaxial cables, copper wire, fiber optics, and the like. Common forms of computer-readable media can include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, any other suitable magnetic medium, a CD-ROM, CDRW, DVD, any other suitable optical medium, a RAM, a PROM, an EPROM, a FLASH-EPROM, any other suitable memory chip or cartridge, or any other suitable medium from which a computer can read.

It is, therefore, apparent that there has been provided, in accordance with the present invention, systems and methods for protecting distributed networks. While this invention has been described in conjunction with a number of embodiments, it is evident that many alternatives, modifications and variations would be or are apparent to those of ordinary skill in the applicable art. Accordingly, applicants intend to embrace all such alternatives, modifications and variations that are within the spirit and scope of this invention.

1. A communications network protection system, the system comprising: one or more computers or devices of a protected communications network that serve as a target of a hacker attack over a communications network; first through third level monitoring centers for receiving information regarding hacker attacks in a geographical area or an organizational structure corresponding to the protected communications network, and for determining appropriate retaliatory or legal action against the hacker attacks; and one or more distributed databases linked to a centralized database and located within respective of the first and second level monitoring centers for maintaining respective information regarding monitored hacker attacks in the geographical area or the organizational structure corresponding to the protected communications network, and the determined appropriate retaliatory or legal action against the hacker attacks.
2. The system of claim 1, wherein the hacker attacks are determined by the first level monitoring centers based on real-time unauthorized access attempt alarms received from the protected communications network.
3. The system of claim 1, wherein the geographical area includes commercial and public sites corresponding to the protected communications network.
4. The system of claim 1, wherein the organizational structure includes law enforcement, Department of Defense, Armed Forces, government, commercial organizations, or e-commerce sites corresponding to the protected communications network.
5. The system of claim 1, wherein, based on a referral from a site of the protected communications network that is attacked, one of the first through third level monitoring centers poses as the attacked site to an attacker for positive identification of the attacker, and once the hacker attack is confirmed, the attacked site or one of the first level monitoring centers sends a response to the attacker and including a concealed flag in the response for detection of the response via the flag, as the response passes through the protected communications network, for identifying the origin of the hacker attack and locations of previous attacks related to the hacker attack.
6. The system of claim 1, wherein the second level monitoring centers receive referrals from the first level monitoring centers and make a decision on possible retaliatory action or other action if warranted based on a nature of an attack.
7. The system of claim 1, wherein the third level monitoring centers collect and analyze information received from the second level monitoring centers to monitor the overall security condition of the protected communications network, including a national cyberspace of one or more countries.
8. The system of claim 1, wherein the protected communications network includes one or more unauthorized access attempt detection systems for determining the hacker attacks and reporting the hacker attacks to the first level monitoring centers.
9. The system of claim 8, wherein the unauthorized access attempt detection systems are embedded in a firewall or operating system of the protected communications network to gather information about an unauthorized access in real-time or near real-time and provide the gathered information to the first level monitoring centers.
10. The system of claim 1, wherein the centralized and distributed databases include mechanisms to shield from unauthorized access, to host data, to store detailed data regarding a hacker or attacker, and to store data regarding law enforcement and links to law enforcement agencies.
11. A communications network protection method, the method comprising: providing one or more computers or devices of a protected communications network that serve as a target of a hacker attack over a communications network; receiving, via first through third level monitoring centers, information regarding hacker attacks in a geographical area or an organizational structure corresponding to the protected communications network; determining, via the first through third level monitoring centers, appropriate retaliatory or legal action against the hacker attacks; and maintaining via one or more distributed databases linked to a centralized database and located within respective of the first and second level monitoring centers, respective information regarding monitored hacker attacks in the geographical area or the organizational structure corresponding to the protected communications network, and the determined appropriate retaliatory or legal action against the hacker attacks.
12. The method of claim 11, wherein the hacker attacks are determined by the first level monitoring centers based on real-time unauthorized access attempt alarms received from the protected communications network.
13. The method of claim 11, wherein the geographical area includes commercial and public sites corresponding to the protected communications network.
14. The method of claim 11, wherein the organizational structure includes law enforcement, Department of Defense, Armed Forces, government, commercial organizations, or e-commerce sites corresponding to the protected communications network.
15. The method of claim 11, wherein, based on a referral from a site of the protected communications network that is attacked, one of the first through third level monitoring centers poses as the attacked site to an attacker for positive identification of the attacker, and once the hacker attack is confirmed, the attacked site or one of the first level monitoring centers sends a response to the attacker and including a concealed flag in the response for detection of the response via the flag, as the response passes through the protected communications network, for identifying the origin of the hacker attack and locations of previous attacks related to the hacker attack.
16. The method of claim 11, wherein the second level monitoring centers receive referrals from the first level monitoring centers and make a decision on possible retaliatory action or other action if warranted based on a nature of an attack.
17. The method of claim 11, wherein the third level monitoring centers collect and analyze information received from the second level monitoring centers to monitor the overall security condition of the protected communications network, including a national cyberspace of one or more countries.
18. The method of claim 11, wherein the protected communications network includes one or more unauthorized access attempt detection systems for determining the hacker attacks and reporting the hacker attacks to the first level monitoring centers.
19. The method of claim 18, wherein the unauthorized access attempt detection systems are embedded in a firewall or operating system of the protected communications network to gather information about an unauthorized access in real-time or near real-time and provide the gathered information to the first level monitoring centers.
20. The method of claim 11, wherein the centralized and distributed databases include mechanisms to shield from unauthorized access, to host data, to store detailed data regarding a hacker or attacker, and to store data regarding law enforcement and links to law enforcement agencies.
21. A computer program product for communications network protection, including one or more computer readable instructions stored on a computer readable medium and configured to cause one or more computer processors to perform the steps of: providing one or more computers or devices of a protected communications network that serve as a target of a hacker attack over a communications network; receiving, via first through third level monitoring centers, information regarding hacker attacks in a geographical area or an organizational structure corresponding to the protected communications network; determining, via the first through third level monitoring centers, appropriate retaliatory or legal action against the hacker attacks; and maintaining via one or more distributed databases linked to a centralized database and located within respective of the first and second level monitoring centers, respective information regarding monitored hacker attacks in the geographical area or the organizational structure corresponding to the protected communications network, and the determined appropriate retaliatory or legal action against the hacker attacks.
22. The computer program product of claim 21, wherein the hacker attacks are determined by the first level monitoring centers based on real-time unauthorized access attempt alarms received from the protected communications network.
23. The computer program product of claim 21, wherein the geographical area includes commercial and public sites corresponding to the protected communications network.
24. The computer program product of claim 21, wherein the organizational structure includes law enforcement, Department of Defense, Armed Forces, government, commercial organizations, or e-commerce sites corresponding to the protected communications network.
25. The computer program product of claim 21, wherein, based on a referral from a site of the protected communications network that is attacked, one of the first through third level monitoring centers poses as the attacked site to an attacker for positive identification of the attacker, and once the hacker attack is confirmed, the attacked site or one of the first level monitoring centers sends a response to the attacker and including a concealed flag in the response for detection of the response via the flag, as the response passes through the protected communications network, for identifying the origin of the hacker attack and locations of previous attacks related to the hacker attack.
26. The computer program product of claim 21, wherein the second level monitoring centers receive referrals from the first level monitoring centers and make a decision on possible retaliatory action or other action if warranted based on a nature of an attack.
27. The computer program product of claim 21, wherein the third level monitoring centers collect and analyze information received from the second level monitoring centers to monitor the overall security condition of the protected communications network, including a national cyberspace of one or more countries.
28. The computer program product of claim 21, wherein the protected communications network includes one or more unauthorized access attempt detection systems for determining the hacker attacks and reporting the hacker attacks to the first level monitoring centers.
29. The computer program product of claim 28, wherein the unauthorized access attempt detection systems are embedded in a firewall or operating system of the protected communications network to gather information about an unauthorized access in real-time or near real-time and provide the gathered information to the first level monitoring centers.
30. The computer program product of claim 21, wherein the centralized and distributed databases include mechanisms to shield from unauthorized access, to host data, to store detailed data regarding a hacker or attacker, and to store data regarding law enforcement and links to law enforcement agencies.